订阅内容

Before we get started with the updates for Red Hat Enterprise Linux 7.8, we recommend taking a serious look at moving to Red Hat Enterprise Linux 8. RHEL 7 is now in Maintenance Support and will no longer receive newer versions of container tools. Users who need access to the latest versions of Podman, Buildah and Skopeo, should move to RHEL 8 where the container-tools module is updated once a quarter. For those of you required to use containers on RHEL 7, this post will provide you a strategic and technical update.

Red Hat understands that many customers cannot upgrade immediately. So, similar to our  update of container tools in RHEL 7.7, we have released one final update to the container tools provided in RHEL 7.8. Here’s a quick summary:

  1. Rootless containers are now Generally Available and fully supported in RHEL Server and RHEL Workstation (release notes)

  2. Major updates to container tools: Podman 1.6.4, Buildah 1.11.6 and Skopeo 0.1.41 (release notes)

  3. Updated container images (release notes)

Rootless Containers Generally Available (GA)

Users of RHEL 7.8 can now use Podman 1.6.4 to find, run, build and share containers as regular users (also called rootless). This builds on the work we did in RHEL 7.7 (Three New Container Capabilities in Red Hat Enterprise Linux 7.7) as well as RHEL 7.6 (A preview of running containers without root in RHEL 7.6).

The new rootless feature can be used with a fresh installation of RHEL 7.8 or by upgrading from RHEL 7.7. When doing a fresh install, just add a new user ID and the new version of the shadow-utils package will take care of everything (/etc/subuid and /etc/subgid entries). With an upgrade from RHEL 7.6 or older, you will need to add the UID/GID mappings for existing users. For more detailed information, follow the Managing Containers guide in the RHEL 7 documentation.

This GA version of rootless containers in RHEL 7.8 uses fuse-overlay by default. With fuse-overlay container images are mounted more quickly, resulting in faster startup times for running containers. Overlay is also the most tested graph driver upstream and offers users the all around best experience. 

While the tech preview of rootless containers RHEL 7.7 used the VFS driver (no fuse-overlay support). This had the trade-off using a lot more disk space for slightly better runtime performance. While the VFS driver is still available for users in RHEL 7.8, Red Hat strongly recommends using fuse-overlay with bind mounts (instead of VFS) for any data requiring native throughput performance. 

The containers team wants to thank the kernel and file system teams for their work back porting this into the RHEL 3.10 kernel, enabling customers who can’t move from RHEL 7 just yet.

Updates to Container Tools

Also with RHEL 7.8, we are excited to announce a final major update to the container tools provided in the Extras channel. This includes stable versions of Podman 1.6.4, Buildah 1.11.6, and Skopeo 0.1.40. These versions were specifically chosen to be in line with the versions released in RHEL 8.2, making it easier to move to RHEL 8.

Here’s a short list of some interesting new features:

  • Initial support for the CNI DNS plugin, which allows containers to resolve the IPs of other containers via DNS name, has been added.

  • Podman now supports anonymous named volumes, created by specifying only a destination to the -v flag to the podman create and podman run commands.

  • The podman info command, when run without root, now shows information on UID and GID mappings in the rootless user namespace.

  • Added podman build --squash-all flag, which squashes all layers (including those of the base image) into one layer.

  • The podman network create, podman network rm, podman network inspect, and podman network ls commands have been added to manage CNI networks used by Podman.

  • The podman volume create command can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems.

  • Rootless Podman can experimentally squash all UIDs and GIDs in an image to a single UID and GID (which does not require use of the newuidmap and newgidmap executables) by passing --storage-opt ignore_chown_errors.

  • Rootless Podman containers with --privileged set will now mount in all host devices that the user can access.

  • Rootless Podman now supports health checks (#3523).

For a deeper dive, please see the man pages, product documentation, and release notes.

An Eye Towards RHEL 8

Users thinking about moving to RHEL 8, should think through two major areas - container tools and container images.

Container Tools

This is planned to be the final release of RHEL 7 with major new features in the container tools software stack. This means Podman will not be updated beyond 1.6.4, Buildah will not be updated beyond 1.11.6, and Skopeo will not be updated beyond 0.1.41. These versions were specifically chosen for stability because they are to be supported until the end of life for RHEL 7. 

They were also chosen to be the same versions as RHEL 8.2. This makes it easier for users to move to RHEL 8 with confidence. For more information on tools available versions and support options, please see the Container Tools AppStream - Content Availability page.

Users who rely on the docker or atomic command in RHEL 7 should look to migrate their applications to Podman, Buildah and Skopeo in RHEL 8. Neither command (docker and atomic) are included nor supported in RHEL 8. The versions of the docker and atomic commands in RHEL 7 will continue to receive security updates, but will not be refreshed beyond docker 1.13 and atomic 1.22.1. For more information on moving to Podman, Buildah and Skope in RHEL 8, please see our guide: Building, running, and managing containers.

Container Images

If you are still using applications based on RHEL / UBI 7, or even RHEL 6, container images, it’s important to remember that most workloads can be migrated to RHEL 8 simply by running them on a RHEL 8 container host. 

The general guidance is:

  • If you are using an unprivileged container (doesn’t need the --privileged flag), it will likely run fine on a newer container host.

  • Older applications on older container images almost always work on newer container hosts.

  • Newer container images running on older container hosts may try to use APIs which don’t exist on older hosts. This is compounded if running privileged and accessing APIs outside of the syscall layer.

 

RHEL host / container support grid showing which userspaces are supported on RHEL 7 / 8.

For a deeper dive with some examples of what will and won’t work, please see Container Compatibility guide. 

For future releases of container tools, stay tuned to RHEL 8 where our future development will happen.


关于作者

At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.

McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

按频道浏览

automation icon

自动化

有关技术、团队和环境 IT 自动化的最新信息

AI icon

人工智能

平台更新使客户可以在任何地方运行人工智能工作负载

open hybrid cloud icon

开放混合云

了解我们如何利用混合云构建更灵活的未来

security icon

安全防护

有关我们如何跨环境和技术减少风险的最新信息

edge icon

边缘计算

简化边缘运维的平台更新

Infrastructure icon

基础架构

全球领先企业 Linux 平台的最新动态

application development icon

应用领域

我们针对最严峻的应用挑战的解决方案

Original series icon

原创节目

关于企业技术领域的创客和领导者们有趣的故事